WORM_KASIDET.SC
TR/AD.Kasidet.Y.40 (Avira); Win32/Injector.Autoit.BSO (ESET-NOD32); Trojan:Win32/MultiInjector.A!rfn (Microsoft)
Windows
Threat Type: Worm
Destructiveness: No
Encrypted: Yes
In the wild: Yes
OVERVIEW
This is one of the samples related to the Neutrino bot or Kasidet. Its code was leaked in the underground forum last July 2015. This malware specifically affects PoS systems running on Windows operating systems (OS).
To get a one-glance comprehensive view of the behavior of this Worm, refer to the Threat Diagram shown below.
This worm arrives via removable drives. It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.
It executes commands from a remote malicious user, effectively compromising the affected system.
TECHNICAL DETAILS
Arrival Details
This worm arrives via removable drives.
It may arrive via network shares.
It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This worm drops the following files:
- %User Temp%\incl1
- %User Temp%\incl2
- %User Temp%\{random digits 1}
- %User Temp%\{random digits 2}
(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)
It drops and executes the following files:
- %User Temp%\delself.bat ← used to delete itself
(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)
It drops the following copies of itself into the affected system:
- %Application Data%\OWZCEN323F\{random filename}.exe
(Note: %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)
It creates the following folders:
- %Application Data%\OWZCEN323F
- %Application Data%\OWZCEN323F\logs
(Note: %Application Data% is the Application Data folder, where it usually is C:\Documents and Settings\{user name}\Application Data on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Roaming on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)
It adds the following mutexes to ensure that only one of its copies runs at any one time:
- OWZCEN323F
Autostart Technique
This worm adds the following registry entries to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
{random filename}.exe = "%Application Data%\OWZCEN323F\{random filename}.exe" ← (if user is Admin)
HKEY_CURRENT_USER\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
{random filename}.exe = "%Application Data%\OWZCEN323F\{random filename}.exe"
Other System Modifications
This worm adds the following registry keys:
HKEY_CURRENT_USER\Software\N3NNetwork
It adds the following registry entries:
HKEY_CURRENT_USER\Software\N3NNetwork
arr = "{base-64 value}"
HKEY_CURRENT_USER\Software\N3NNetwork
rate = "{value}"
HKEY_CURRENT_USER\Software\N3NNetwork
{random digits} = "{value}"
Propagation
This worm drops the following copy(ies) of itself in all removable drives:
- {Drive Letter}:\{random filename}.exe
It uses the following file names for the copies it drops into shared networks:
- PhotoExplorer.exe
It drops an AUTORUN.INF file to automatically execute the copies it drops when a user accesses the drives of an affected system.
The said .INF file contains the following strings:
[autorun]
OPEN={random filename}.exe
action=Run
Backdoor Routine
This worm executes the following commands from a remote malicious user:
- Download and Execute Files (.vbs, .dll)
- Find Files
- Update itself
- Uninstall itself
- Perform Remote Shell
- Visit Specific URL
- Performs DDOS attack
- Spread to Removable drives
- Spread to Network Shares folder:
- ShareDocs
- Admin
- C
- D
- E
- Create Schedule Task (pointed to itself)
- Modifies Shortcuts files in Startup Folder (pointed to itself)
- Log Keystrokes
- Copy Clipboard
- Capture screenshots
It connects to the following URL(s) to send and receive commands from a remote malicious user:
- http://{BLOCKED}n.in/ServerSide/tasks.php
As of this writing, the said sites are inaccessible.
Information Theft
This worm gathers the following data:
- OS Version
- Machine GUID
- Installed AV Software
NOTES:
{random filename} is either svchost.exe or any .exe file found in %Windows% directory that does not contain the following strings:
- install
- setup
- update
- patch
It scans the memory of all running processes to get credit card data Track 1 and 2 except for the following processes:
- [System]
- smss.exe
- csrss.exe
- winlogon.exe
- lsass.exe
- spoolsv.exe
- devenv.exe
It hooks Windows API of the following browsers and clients:
- Firefox
- Chrome
- Internet Explorer
- Opera
- FTP client server
It checks for the following:
- Running Process
- SandboxieRpcSs.exe
- SandboxieDcomLaunch.exe
- Debugger
- Remote Debugger
- If COMPUTER NAME contains the following strings:
- MALTEST
- TEQUILABOOMBOOM
- SANDBOX
- VIRUS
- MALWARE
- If the path of the file contains the following strings:
- SAMPLE
- VIRUS
- SANDBOX
- If kernel32.dll exports the following function:
- wine_get_unix_file_name
- If any of the following registries are present:
- HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Tools
- HKEY_LOCAL_MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions
- If the value of the following registry entry contains VMWARE,VBOX,QEMU
- HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0
Identifier
- HKEY_LOCAL_MACHINE\HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0
- If the value of the following registry entry contains VBOX,QEMU,BOCHS
- HKEY_LOCAL_MACHINE\HARDWARE\Description\System
SystemBiosVersion
- HKEY_LOCAL_MACHINE\HARDWARE\Description\System
- If the value of the following registry entry contains VIRTUALBOX
- HKEY_LOCAL_MACHINE\HARDWARE\Description\System
VideoBiosVersion
- HKEY_LOCAL_MACHINE\HARDWARE\Description\System
If any of the conditions is met, it terminates itself and displays an error message.
SOLUTION
Step 1
Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.
Step 2
Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.
Step 3
Restart in Safe Mode
Step 4
Delete this registry value
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.
- In HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- {random filename}.exe = "%Application Data%\OWZCEN323F\{random filename}.exe"← (if user is Admin)
- {random filename}.exe = "%Application Data%\OWZCEN323F\{random filename}.exe"← (if user is Admin)
- In HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- {random filename}.exe = "%Application Data%\OWZCEN323F\{random filename}.exe"
- {random filename}.exe = "%Application Data%\OWZCEN323F\{random filename}.exe"
Step 5
Delete this registry key
Important: Editing the Windows Registry incorrectly can lead to irreversible system malfunction. Please do this step only if you know how or you can ask assistance from your system administrator. Else, check this Microsoft article first before modifying your computer's registry.
- In HKEY_CURRENT_USER\Software
- N3NNetwork
- N3NNetwork
Step 6
Search and delete these folders
- %Application Data%\OWZCEN323F
Step 7
Search and delete this file
- %User Temp%\incl1
- %User Temp%\incl2
- %User Temp%\{random digits 1}
- %User Temp%\{random digits 2}
- %User Temp%\delself.bat
Step 8
Search and delete AUTORUN.INF files created by WORM_KASIDET.SC that contain these strings
OPEN={random filename}.exe
action=Run
Step 9
Restart in normal mode and scan your computer with your Trend Micro product for files detected as WORM_KASIDET.SC. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.
Did this description help? Tell us how we did.